CryptoJacky Ransomware - How To Remove?


CryptoJacky (judging by the code structure of this virus, the sample is already version 2 of CryptoJacky) is the name given to a ransomware variant that targets Spanish-speaking users. The virus drops a whole series of executables onto the infected system, and each of them is responsible for a different task. For instance, the aescrypt.exe file is assigned the job of encrypting files with the AES algorithm. Approximately 0.22106 BTC is demanded for file decryption. CryptoJacky justifies the encryption by blaming the victim for immoral online activity: because of these vile habits, all of his/her files are to be held hostage until a payment of 250 euros is sent to the following bitcoin wallet: lH7YGm35zVJWU4GrqZ2nq4kDvXNfkwfhxd. The main facts about the ransomware are laid out in two files: ransom-instructions.lnk and ransom-information.lnk. Both of them urge users to buy a password to recover their data, but you should not surrender.

Explaining CryptoJacky ransomware in more depth

Even though the primary target of the CryptoJacky virus is Spanish-speaking Internet users, that may not restrict its spread. Distribution of CryptoJacky might not be limited to Spanish-speaking countries and could threaten people in other parts of Europe or in the United States of America. If victims follow the scenario the hackers lay out for them, they are expected to send an email to the ransom_ph@mail2noble.com address. The password needed for file recovery is then allegedly provided, but we have very little hope that the hackers actually keep their promises.

The CryptoJacky virus drops the aescrypt.exe file to start the encryption process and leave the selected data unusable. Judging by the executable's name, the AES cipher is the tool expected to ruin files. The payload of this sample is identified as cryptoJacky-setup.exe, which supposedly initiates the other necessary processes before aescrypt.exe takes the wheel. The primary changes made to a device include modifications of Windows Registry keys for the sake of persistence. Connecting to the C&C server is another important feature, as the CryptoJacky virus informs its creators about each newly infected device.

To finish this part of the article, we should mention that paying the ransom is unwise. For now, security researchers have not been able to determine whether the variant appends its own extension to the data it encrypts. To recognize that you are being bothered by this specific variant, pay attention to the ransom notes that are presented: in this case, they are displayed in the form of tables and are written in Spanish.
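As an added example (not part of the original article), here is a PowerShell triage script that looks for the artifacts named above on a Windows host: the four file names, Run-key entries that reference them, and running processes of the same name. The article says the registry is modified for persistence but does not name the keys, so the Run/RunOnce keys checked here are an assumption, as are the folders searched; extend both to match your own environment.

```powershell
# Added example (not from the original article): triage a Windows host for the
# CryptoJacky artifacts named in the text. Assumptions: the ransom notes and
# executables keep the file names given above, and persistence uses the common
# Run keys (the article says registry keys are modified but does not name them).

$IndicatorNames = @(
    'aescrypt.exe',
    'cryptoJacky-setup.exe',
    'ransom-instructions.lnk',
    'ransom-information.lnk'
)

# Hypothetical choice of persistence locations to inspect; adjust to your own baseline.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-CryptoJackyFiles {
    # Folders searched are an assumption; the article does not say where the files are dropped.
    param([string[]]$SearchRoots = @("$env:USERPROFILE", "$env:ProgramData", "$env:TEMP"))
    foreach ($root in $SearchRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $IndicatorNames -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Type   = 'File'
                    Where  = $_.FullName
                    Detail = "$($_.Length) bytes, modified $($_.LastWriteTime)"
                }
            }
    }
}

function Find-CryptoJackyPersistence {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
            $value = [string]$p.Value
            foreach ($name in $IndicatorNames) {
                if ($value -like "*$name*") {
                    [pscustomobject]@{
                        Type   = 'RunKey'
                        Where  = "$key\$($p.Name)"
                        Detail = $value
                    }
                }
            }
        }
    }
}

function Find-CryptoJackyProcesses {
    # Get-Process reports names without the .exe suffix, so it is appended for comparison.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $IndicatorNames -contains ($_.Name + '.exe') } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'Process'
                Where  = "PID $($_.Id)"
                Detail = $_.Path
            }
        }
}

$findings = @(Find-CryptoJackyFiles) + @(Find-CryptoJackyPersistence) + @(Find-CryptoJackyProcesses)
if ($findings.Count -eq 0) {
    Write-Host 'No CryptoJacky indicators found in the locations checked.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated session so that HKLM and other users' profile folders are readable. A hit under RunKey is the entry to remove before rebooting normally, and a hit under Process is the executable to stop before attempting any file restore, otherwise it keeps encrypting while you work.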

Is there any hope for files that CryptoJacky ransomware corrupted?

Unfortunately, at the time of writing, the CryptoJacky virus is a very new variant and analysts have not been able to construct a decryption tool. If you happen to be infected with this sample, make sure to share everything with security analysts, as the help is always appreciated. In the meantime, you can try other file-recovery tricks. For example, do not hesitate to check whether Shadow Volume Copies are still available. If you have stored your files in backup storage, then you have little to worry about: when an infection like the CryptoJacky virus strikes, you only have to remove the malware and recover the files from the location you chose to protect your data. Do you still keep your files in one place (your hard drive)? That is no longer appropriate.

Transmission of the payload of CryptoJacky virus

This part of the article discusses the ways the CryptoJacky payload can be distributed. To start, we should mention probably the most popular technique for distributing ransomware: malicious email messages. They might allegedly originate from important authorities and require you to answer ASAP. You should not do this. Letters with false statements will attempt to trick you into downloading the attachments they feature. If you wish to download a received file, at least be 100% sure of its reliability.

There are a couple of options for removing the CryptoJacky virus. If you already have a reliable anti-malware tool, you won't have any problem using it to detect and eliminate this malware variant. Reimage, Spyhunter and Hitman are possible candidates for those who have little knowledge of security tools. If you wish to find out how they should be installed, go to the Tutorials section of our page. Manual removal can only be carried out by repeating the steps below. However, if you do not have a lot of experience in this field, we recommend the first option.

How to recover CryptoJacky ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before the CryptoJacky virus infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of CryptoJacky ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Reimage, and remove all malicious files related to the CryptoJacky virus. You can check other tools here.


Step 3. Restore CryptoJacky ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually the CryptoJacky virus tries to delete all available Shadow Volume Copies, so this method may not work on every computer. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using the native Windows Previous Versions feature or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
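Step 3 above uses the GUI; the same snapshots can be queried and read from an elevated PowerShell session, which is useful when Explorer is unusable or you want to pull files to a clean drive in bulk. The following is an added example, not the article's own procedure: it lists the snapshots that vssadmin and Shadow Explorer see through the Win32_ShadowCopy WMI class and copies one file out by exposing a snapshot's device path as a directory link. The cut-off date, user name and file paths are placeholders.

```powershell
# Added example (not from the original article): list Volume Shadow Copies with
# WMI and copy a single pre-infection file out of one of them. Run from an
# elevated PowerShell session. Assumptions: the snapshot still exists (the
# article notes the ransomware tries to delete them) and you know the path of
# the file you want. Dates and paths below are placeholders.

function Get-ShadowCopies {
    # Win32_ShadowCopy exposes each snapshot's device path
    # (e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1) and creation time.
    # Get-CimInstance already converts InstallDate to a .NET DateTime.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        ForEach-Object {
            [pscustomobject]@{
                ID           = $_.ID
                Created      = $_.InstallDate
                Volume       = $_.VolumeName
                DeviceObject = $_.DeviceObject
            }
        } | Sort-Object Created
}

function Restore-FileFromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # from Get-ShadowCopies
        [Parameter(Mandatory)][string]$RelativePath,   # path inside the volume, e.g. Users\alice\Documents\report.docx
        [Parameter(Mandatory)][string]$Destination,    # where to write the recovered copy (a separate, clean drive is best)
        [string]$MountPoint = 'C:\ShadowMount'          # hypothetical temporary link name
    )
    if (Test-Path -LiteralPath $MountPoint) {
        throw "Mount point $MountPoint already exists; choose another."
    }
    # The FileSystem provider cannot open \\?\GLOBALROOT paths directly, so expose
    # the snapshot as a directory symbolic link. The trailing backslash is required.
    cmd.exe /c mklink /d "$MountPoint" "$DeviceObject\" | Out-Null
    try {
        $source = Join-Path $MountPoint $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "File not present in this snapshot: $source"
        }
        New-Item -ItemType Directory -Path (Split-Path -Parent $Destination) -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination
        Get-Item -LiteralPath $Destination
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents.
        cmd.exe /c rmdir "$MountPoint" | Out-Null
    }
}

# Usage: show every snapshot, then pick the newest one that predates the
# infection (placeholder date) and pull one file from it.
$snapshots = Get-ShadowCopies
$snapshots | Format-Table -AutoSize
$chosen = $snapshots | Where-Object { $_.Created -lt (Get-Date '2017-03-08') } | Select-Object -Last 1
if ($chosen) {
    Restore-FileFromShadowCopy -DeviceObject $chosen.DeviceObject `
        -RelativePath 'Users\<user>\Documents\<file>' `
        -Destination 'D:\recovered\<file>'
}
```

If Get-ShadowCopies returns nothing, the snapshots were deleted, as the article warns, and the data-recovery route in Step 4 is the next option. Keep the destination on a drive the malware never touched, and restore files only after the removal in Step 2 has been completed, so the recovered copies are not encrypted again.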

Step 4. Use Data Recovery programs to recover CryptoJacky ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try it:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.


About the author

 - Main Editor
I started 2-viruses.com in 2007 after wanting to be more or less independent from any single security program maker. Since then, we have kept working on this site to make the internet a better and safer place.

March 8, 2017 09:44, March 10, 2017 01:58